  • Change the IPTables log file

    http://www.networkinghowtos.com/howto/change-the-iptables-log-file/


    An important aspect of any firewall is its log files. Iptables on Linux provides logging functionality; however, by default the entries are written to the /var/log/messages log file. This clutters that file and makes the firewall logs hard to check.

    If you want to change the file that IPTables logs to, you need to set up your iptables rules to output a log prefix. Rsyslog will then be configured to pick up this prefix, and output the information to a custom log file, containing just the iptables log information.

    Install rsyslog if it is not already installed.

    $ sudo apt-get install -y rsyslog
    

    Configure your iptables firewall rules to output a log prefix using the --log-prefix option of the LOG target:

    $ sudo iptables -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "iptables: "
    

    (this will log connection attempts to the SSH port)

    Next you need to configure rsyslog to pick up the iptables log prefix.

    Create an empty rsyslog conf file for iptables.

    $ sudo touch /etc/rsyslog.d/10-iptables.conf
    

    Open this file up in a file editor.

    $ sudo nano /etc/rsyslog.d/10-iptables.conf
    

    Add the following two lines:

    :msg, contains, "iptables: " -/var/log/iptables.log
    & ~
    

    Save the file and exit the editor.

    The first line matches any log message containing the string "iptables: " and appends it to the /var/log/iptables.log file. The leading "-" in front of the path tells rsyslog to buffer writes instead of syncing the file after every entry.

    The second line discards the message once it has been written, so that it does not end up in /var/log/messages as well as in iptables.log. On rsyslog 7 and later the same action is spelled "& stop"; "& ~" is deprecated there but still accepted.

    Restart rsyslog:

    $ sudo service rsyslog restart
    

    The logs should now be appearing in /var/log/iptables.log.

    You can verify this by tailing the log file:

    $ tail -f /var/log/iptables.log
    

    Try to connect to SSH from another machine, and you should see a log entry get created and appear on the screen automatically.

    Eg:

    $ tail -f /var/log/iptables.log
    Feb 20 23:27:11 ubuntu kernel: [1988916.899165] iptables: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.168.0.3 DST=192.168.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=30541 DF PROTO=TCP SPT=60148 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    

    Close the ‘tail’ program using Ctrl+c.
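    Once the entries land in /var/log/iptables.log they are easy to process. As an added example (not part of the original how-to), the following Python parses lines in the format shown above and counts logged SYNs to port 22 per source address; it assumes the "iptables: " prefix from the rule above and uses constructed sample lines, not real captured traffic.

```python
from collections import Counter

# Constructed sample lines in the format the LOG target produces (not real traffic).
SAMPLE_LOG = """\
Feb 20 23:27:11 ubuntu kernel: [1988916.899165] iptables: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.168.0.3 DST=192.168.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=30541 DF PROTO=TCP SPT=60148 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 23:27:12 ubuntu kernel: [1988917.901201] iptables: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.168.0.3 DST=192.168.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=30542 DF PROTO=TCP SPT=60149 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 23:27:15 ubuntu kernel: [1988920.123456] iptables: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.168.0.7 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 23:27:16 ubuntu kernel: [1988921.000000] unrelated message without the prefix
"""

PREFIX = "iptables: "  # must match the --log-prefix used in the iptables rule


def parse_line(line):
    """Return the KEY=VALUE fields after the prefix as a dict, plus a 'FLAGS'
    set of bare tokens (DF, SYN, ACK ...); None if the prefix is absent."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    fields, flags = {}, set()
    for tok in line[idx + len(PREFIX):].split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val   # e.g. SRC=192.168.0.3; OUT= yields an empty value
        else:
            flags.add(key)      # e.g. DF, SYN
    fields["FLAGS"] = flags
    return fields


def ssh_syn_sources(log_text, dport="22"):
    """Count logged TCP SYNs to dport per source address, i.e. what the
    INPUT rule above records for each connection attempt."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("PROTO") == "TCP" and rec.get("DPT") == dport \
                and "SYN" in rec["FLAGS"]:
            counts[rec["SRC"]] += 1
    return counts


if __name__ == "__main__":
    for src, n in ssh_syn_sources(SAMPLE_LOG).most_common():
        print(f"{src}: {n} SYN(s) to port 22")
```

    Feed it the real file (open("/var/log/iptables.log").read()) to get the same summary for a live system.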

  • Original address: https://www.cnblogs.com/yuguangyuan/p/7867257.html